Re: SSO - Kerberos
This is a discussion on Re: SSO - Kerberos ; "Michael B Allen" writes:
> If you read the whole thread you'd know I'm only talking about the
> *IntrAnet* scenario. With SPNEGO you do not type in a passwords at all
> whereas with WebAuth you might need to.
...
-
Re: SSO
"Michael B Allen" writes:
> If you read the whole thread you'd know I'm only talking about the
> *IntrAnet* scenario. With SPNEGO you do not type in a passwords at all
> whereas with WebAuth you might need to.
You're making a bogus comparison. If you don't have to type in passwords
with SPNEGO Negotiate-Auth, you don't have to type in passwords with
WebAuth either; it can use SPNEGO Negotiate-Auth for initial
authentication. In the Negotiate-Auth case, the password handling is
exactly the same, which one would expect given that it's using exactly the
same protocol and mechanism. (Cosign I think requires the ticket cache on
the central login server, so does introduce the twist of delegation.)
The difference does not lie in SPNEGO handling; it lies in the
architectural complexity, in what the fallback looks like when
Negotiate-Auth doesn't work, and in the delegation and authentication
persistance model.
--
Russ Allbery (rra@stanford.edu)
